Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18

Christian Huitema <huitema@huitema.net> Sun, 17 September 2017 04:21 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFFB0127517 for <secdir@ietfa.amsl.com>; Sat, 16 Sep 2017 21:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veIRBuhr2RjF for <secdir@ietfa.amsl.com>; Sat, 16 Sep 2017 21:21:23 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFFBD1200F3 for <secdir@ietf.org>; Sat, 16 Sep 2017 21:21:23 -0700 (PDT)
Received: from xsmtp31.mail2web.com ([168.144.250.234] helo=xsmtp11.mail2web.com) by mx26.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1dtR57-00033l-0S for secdir@ietf.org; Sun, 17 Sep 2017 06:21:21 +0200
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp11.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dtR52-0005OW-KH for secdir@ietf.org; Sun, 17 Sep 2017 00:21:17 -0400
Received: (qmail 8126 invoked from network); 17 Sep 2017 04:21:15 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.91]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-sfc-nsh.all@ietf.org>; 17 Sep 2017 04:21:15 -0000
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net> <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
Date: Sat, 16 Sep 2017 21:21:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 168.144.250.234
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.28)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJY8hyefn/FOeAH6Zsqubs62ND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23Ay97VuAo9HOF+4WPA88cNk5SvzZFcn5J62ab Al4JpFaCCwnU7/azu5UxZhQ9sHJhYOEkjsX7F8KmpUaZQHV+SWsC1ltxhvDAAiytf1zpGXO2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpKOHi0RYvlOYvJoUtCbvS/bfPQj1kOyxNFg33kI1TaC7CpXSTy88 yKXT59k+LMPEe4LisF0Dq9DuZcwm5uNxBQmpb0YnYvmU5PphG8LogcC6a8Mrc8quJ4btPpt/2FLu FENuK6ldck0juAg+FVtv+IOo4y6frMgdTo7c9I9ngwHJYd/jKzjiuDYHz/0WYr1rUy6ggDjF/JYa A95R4z1aC/OySQHb3iwsf1ON/gXoJDVrp17vcIhp4/vU15YpEcaF91b7LCVq2nuinYFw/C3rfJ2V 3KD8IdSHBSi9yjOsRb3k8wJfEo0cbb0YLkzPOD/FDLswybukjjR7SZbxkOJ/tGPwNhcKsc+Xm+VJ sLn9bJe22KGjjTPUPaUYynKQ5SwWK3B/3WCT/ywxqGyDcX7ymo81pn6M7II0pBZMP8Q2yl7HZ8cC 5NCzOtKFVG2OgcPUMeKVse1sVhWabI0/+PN3sILCmP4sL9m2Y1BvIAo6egCen+i6vxJ1XQV9OD+8 nG7yld4K6mLGc2whQNCsuCARgHQ=
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DWFnlXWiP1YtaIa_hAR_Nwt9wD4>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 04:21:27 -0000


On 9/14/2017 4:22 AM, Carlos Pignataro (cpignata) wrote:
> ...
> it’s not uncommon to forget how broadly understood assumptions and design criteria for a document are, when being knee-deep in work. This is probably the case here, in which scope should have been more explicit.
>
> For completeness, the document is the document plus its context. A peek at the normatively-cited RFC 7665, SFC architecture, (or at the charter as part of a Directorate review) would have proactively reduced your concerns, leaving the editorial need to make it very clear and explicit in “the document” (as opposed to your initial reaction).
I did read RFC 7665. Before writing the initial review, and again now as
a refresher. Yes, RFC 7665 mentions an "administrative domain". But it
is also a very abstract document, leaving open many possibilities. And
it does contain the text about sharing metadata along a function path
that gave me pause: "For example, an external repository might provide
user/subscriber information to a service chain classifier. This
classifier could in turn impose that information in the SFC
encapsulation for delivery to the requisite SFs. The SFs could in turn
utilize the user/subscriber information for local policy decisions.
Metadata can also share SF output along the SFP." The draft translates
the architecture into practical protocol specification. It is good to
include at that stage concrete protections.
> OK, we can qualify the campus network with “controlled”, or frankly remove it or choose a different example. It is, after all, an example.
I saw the "controlled" addition in your text, but I don't quite
understand what a "controlled campus network" is. I understand that one
of the goals is to place a variety of functions in separate boxes
independently of topology, but if I was managing a campus network I
would much rather place these functions in controlled spaces like data
centers rather than, say, student dorms. Not all places on the campus
will be tightly controlled. It might be simpler to just not mention
these campus networks.
...
> How would you suggest this can be strengthened? We do add some relevant text based on the next comment.
>
>> The draft mentions using IPv4 or IPv6 as transport. It seems
>> that in that case there should be some ingress/egress filtering, as in
>> "packets originating outside the service domain must be dropped if they
>> contain an NSH," and similarly must be drop on domain exit if they
>> contain an NSH.
>>
> This is a good suggestion. We can add some clarifying text after the first paragraph of the Security Considerations.
> This can take care of your previous comment as well.
I saw the text added in the latest draft. That's fine.

>> The new security section does provide a number of recommendations, such
>> as the obfuscation of metadata. That's definitely an improvement. But I
>> believe there are still issues.
>>
>> The first issue is that "Metadata privacy and security considerations
>> are a matter for the documents that define metadata format." That does
>> not give me a warm and fuzzy feeling at all. I understand that the
>> formats will be only registered "after IETF review", but these future
>> reviews would be much easier if the NSH mechanism defined at least a
>> baseline security posture, and maybe some generic mechanisms for
>> obfuscation or encryption.
> I do not know if future reviews might or might not be easier, since there would be a need for a reviewer to follow and read normative references, which practice shows not always happens... But, that aside, ease of future review for reviewers is not a design principle for NSH :-)
>
> That said, I agree that there is an opportunity to, without specifying, provide forward-looking guidance or references to potential work. We will add that in.

I see that you added references to "proof of transit" in draft-21. That,
and the reference to obfuscating subscriber info, certainly helps. It
seems that the security protection is based on three broad principles:

1) Encrypt the data in transit, using IPSEC or similar;

2) Obfuscate by default critical metadata such as subscriber info;

3) Encrypt some of the metadata.

That's not a bad posture, but I wish that you were explicit about the
threats. I am somewhat concerned that the "administrative domain"
approach leads to complacency, as in "my domain is secure, I am only
concerned with external leakage". I think it would be good to point at
explicit threats. Encrypt in transit addresses one type of threats,
adversaries tapping conduits to observe the data. But how about hacking
into an SFF? Or providing a "free" function that pays for itself by
collecting the meta-data? These all go into the idea that in a complex
system, it is good to compartment who routinely sees what information.
That's the rational motivating obfuscation and other such techniques,
and it would be nice to be explicit about it.

>
>> The second issue is that the security section provide recommendations
>> about solutions, but does not analyze the threats. In particular, one of
>> the threats that I find worrisome is, what happens if a specific
>> function in a service chain gets subverted?
> If a firewall or a router gets subverted, we likely have bigger problems. More below.
Maybe. Maybe not. What if an intrusion detection system gets subverted?
What if an accounting system gets subverted? You hope that the intrusion
will be detected shortly, but principles like "least privilege" are a
good way to provide defense in depth and minimize the damage during the
early stages of the intrusion.



>> I may be paranoid, but there is already an history of adversaries
>> attacking complex systems like data centers, network control systems or
>> corporate networks, not to mention campus networks. These adversaries
>> typically proceed by lateral movement after an initial penetration until
>> they get closer to their actual target inside the domain. I can see an
>> adversary trying to penetrate one of these domains in order to access
>> the metadata. In our case, it would try to find a weak link in the
>> service function chain. It maybe that one of the functions is deemed
>> benign, and thus was less secured than the others. But if all functions
>> see the metadata, then the adversaries will achieve their goal by
>> targeting that weak link. Some application of the "least privilege"
>> principle would be useful there.
> See above. Not all functions see the metadata, if so desired. For example, all SFFs do not see any metadata if the transport uses existing proven encryption techniques, IPsec, TLS, etc.

Yes. Somehow stating that and explaining why it matters would be nice.

-- Christian Huitema